RE: Building openldap with overlays
- To: "Howard Chu" <hyc@symas.com>
- Subject: RE: Building openldap with overlays
- From: "Spicer, Kevin (MBLEA it)" <Kevin.Spicer@bmrb.co.uk>
- Date: Sun, 21 Nov 2004 11:49:11 -0000
- Cc: <openldap-software@OpenLDAP.org>
- Content-class: urn:content-classes:message
- Thread-index: AcTPvOwok4WKVVO+SDSUSQvR2kZ9BAAAo7rA
- Thread-topic: Building openldap with overlays
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
> Those attributes are modified during a Bind operation, and no other
> attributes are being touched. During a Modify/Password operation, multiple
> attributes are being modified, some requested by the user, so the operation
> must be performed as the user.
That makes sense, thanks for the explanation.
> The pwdReset attribute will only affect a normal LDAP client, because it
> only restricts subsequent LDAP operations. Since pam_ldap just does a Bind
> and nothing else, it has no effect. (And presumably pam_ldap doesn't check
> the response control for the Reset error code.) What I suggest instead is
> to create a second Policy entry that has a passwordMaxAge of 1 second (or
> somesuch) and set the user's policyDN to point to that entry, so you don't
> have to corrupt the pwdLastChanged value.
That sounds good, but isn't the policy only checked when the user
attempts to bind, so I would have to leave the policyDN on the 1 second
expiry (meaning the password would constantly expire)? When binding, is
the policy applied before the password is verified? If so, I could
change the policyDN, sleep 1, attempt to bind using a bogus password,
which would then expire the password according to the policy, then
change the policy back to what it should be?
BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
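The "second Policy entry" approach Howard describes above, written out as LDIF. This is an added example and not part of the thread: the informal names used in the discussion correspond to the ppolicy overlay's pwdMaxAge policy attribute and the per-user pwdPolicySubentry operational attribute. The base DN, the policy container, the existing default policy and the user entry are all constructed placeholders; the ppolicy overlay is assumed to be already loaded on the database.

```ldif
# Added example (not from the thread). Constructed DNs: the suffix
# dc=example,dc=com, the policy container ou=policies, an existing normal
# policy cn=default, and the user uid=kevin. Assumes the ppolicy overlay is
# configured on this database.

# 1. A second policy entry whose passwords expire after one second.
#    pwdPolicy is auxiliary, so a structural class (device) carries the entry;
#    pwdAttribute is mandatory and names the attribute the policy governs.
dn: cn=expire-now,ou=policies,dc=example,dc=com
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: expire-now
pwdAttribute: userPassword
pwdMaxAge: 1

# 2. Point only this user at the short-lived policy (the "policyDN" of the
#    thread is the pwdPolicySubentry operational attribute on the user entry).
#    No global default and no pwdChangedTime value is altered.
dn: uid=kevin,ou=people,dc=example,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=expire-now,ou=policies,dc=example,dc=com

# 3. When the user should be back under normal rules, restore the reference.
dn: uid=kevin,ou=people,dc=example,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
```

Apply it as the rootdn with `ldapmodify -x -D <rootdn> -W -f expire.ldif` (steps 2 and 3 are normally run at different times, so keep them in separate files). Because the override lives on the user entry rather than in the default policy, the blast radius is limited to that one account, and an `ldapsearch` for `pwdPolicySubentry` on the user shows at a glance which policy is currently in force.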